iClicker site hack targeted students with malware via fake CAPTCHA

The iClicker website was compromised to deliver a ClickFix social engineering attack: a fake CAPTCHA prompt that tricked users into executing malicious PowerShell scripts. This attack potentially allowed hackers to install malware and steal sensitive data from students and instructors using the platform.
Affected: iClicker, University of Michigan, students, instructors

Keypoints

  • Between April 12 and April 16, 2025, the iClicker website was compromised to display a fake CAPTCHA designed to deceive users.
  • The fake CAPTCHA instructed users to run a PowerShell script that had been copied to their clipboard, leading to malware download and execution.
  • The PowerShell script connected to a remote server to retrieve obfuscated malicious payloads, which varied based on the visitor type.
  • The installed malware potentially included info stealers capable of extracting credentials, cookies, passwords, and cryptocurrency wallet data.
  • The attack utilized social engineering tactics similar to those used in phishing campaigns, often involving fake CAPTCHA prompts.
  • Authorities and platforms advised users to immediately change passwords and run security scans if they encountered the fake CAPTCHA.
  • iClicker published a security bulletin stating they resolved the vulnerability and clarified that only users who interacted with the fake CAPTCHA are at risk.

Read More: https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/